1. Field of the Invention
Methods and apparatuses consistent with the present invention relate to determining whether a target code is a malicious code, and more particularly, to an apparatus and method which can compare a code signature extracted from a target code with a malicious code immunization signature or a normal code immunization signature stored in an immunization database, and determine whether the target code is a malicious code based on a result of the comparison.
2. Description of Related Art
In the current information society, computers are used in various fields of daily life, work, and the like. As computers have become widespread, malicious codes have also been created that cause behaviors conflicting with a user's intent. Malicious codes may cause malfunctions of computers, damage to data, and leakage of user information, or may be used for crimes such as hacking. In short, malicious codes may cause various types of damage. As the Internet has become popular among users, malicious codes have also spread rapidly. Computer users are therefore aware that they must be careful about malicious code.
Also, as the hardware of portable devices improves and the application programs executed on them become more diverse and complex, malicious codes that usually attack computers may cause serious damage on portable devices as well. In particular, with the proliferation of portable Internet services, such as wireless Internet services and the like, various types of malicious codes may cause malfunctions of the portable device, delete data, leak user information, and the like. Examples of the malicious codes include malicious codes that attack a vulnerability of existing computer application programs and mobile malware that attacks a vulnerability of services and application programs of the portable device such as Bluetooth, a Multimedia Messaging System (MMS), and the like.
A known malicious code detection method may include a signature-based detection method. This method builds signatures of known viruses into a database, stores the signatures in a memory, compares input data with the database, and detects the malicious code when a matching signature is found. The signature is a characteristic pattern of the virus. As the number of known malicious codes increases, the size of the database storing signatures also grows. This leads to problems such as overhead of a central processing unit (CPU), overhead of memory, and power consumption where power is limited, such as in a portable device.
When a new malicious code appears, a computer employing the above technology may have difficulty in detecting the new malicious code before it is reported in an updated database. In addition, a large number of computers may be exposed to the dangers of the malicious code in the period between its spread and the time the computers are able to cope with it.
Protecting a computer from malicious codes so that the computer can perform its normal functions may be similar to the way the immune system of a human body protects the body from viruses or microorganisms. Some researchers studying computer viruses or malicious codes have shared their feelings about the similarity between computer viruses and viruses of the human body, and attempted to introduce a mechanism that models the immune system of the human body. A representative example may include research results that were obtained from an IBM anti-virus research team. They concentrated on the mechanism by which the immune system warns neighboring cells of an infection when it detects one. They focused on realizing a function that prevents the spread of a virus when a computer is infected with the virus and a malfunction occurs.